Open Trusted Technology Provider™ Standard (O-TTPS) Assessment Procedures
Version 1.0
January 2014

© Copyright 2013-2014, The Open Group
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owner.

ArchiMate®, DirecNet®, Jericho Forum®, Making Standards Work®, OpenPegasus®, The Open Group®, TOGAF®, and UNIX® are registered trademarks and Boundaryless Information Flow™, Build with Integrity Buy with Confidence™, Dependability Through Assuredness™, FACE™, Open Platform 3.0™, Open Trusted Technology Provider™, and The Open Group Certification Mark™ are trademarks of The Open Group. All other brands, company, and product names are used for identification purposes only and may be trademarks that are the sole property of their respective owners.

Open Trusted Technology Provider™ Standard (O-TTPS): Assessment Procedures
This update contains changes to The Open Group trademarks only.
Published by The Open Group, January 2014.

Comments relating to the material contained in this document may be submitted to: The Open Group, 8 New England Executive Park, Burlington, MA 01803, United States or by electronic mail to: [email protected]

Contents

1. Introduction ... 4
1.1 Terminology ... 4
1.2 Referenced Documents ... 4
2. O-TTPS Assessment ... 5
2.1 Preparation for Accreditation ... 7
2.2 Registering for Accreditation ... 7
2.3 Completing the Conformance Statement Questionnaire ... 7
2.4 Completing the ISCA Document ... 7
2.5 Accreditation Authority Reviews and Approves the Conformance Statement and ISCA Document ... 8
2.6 Organization Selects an O-TTPS Recognized Assessor ... 8
2.7 Organization Prepares Accreditation Package ... 8
2.8 Assessor Performs the Assessment ... 8
2.9 Assessor Recommends Accreditation ... 9
2.10 Accreditation Authority Reviews the Accreditation Package Document ... 9
2.11 Organization Signs Trademark License Agreement ... 9
2.12 Accreditation Awarded ... 9
2.13 Withdrawal from the Accreditation Process ... 10
A Assessment Guidelines ... 11
A.1 General Guidance for Assessor Activities ... 11
A.2 Audit Reports ... 12
B Assessor Activities for O-TTPS Requirements ... 13
B.1 PD_DES: Software/Firmware/Hardware Design Process ... 14
B.2 PD_CFM: Configuration Management ... 15
B.3 PD_MPP: Well-defined Development/Engineering Method Process and Practices ... 17
B.4 PD_QAT: Quality and Test Management ... 18
B.5 PD_PSM: Product Sustainment Management ... 20
B.6 SE_TAM: Threat Analysis and Mitigation ... 22
B.7 SE_VAR: Vulnerability Analysis and Response ... 24
B.8 SE_PPR: Product Patching and Remediation ... 25
B.9 SE_SEP: Secure Engineering Practices ... 26
B.10 SE_MTL: Monitor and Assess the Impact of Changes in the Threat Landscape ... 28
B.11 SC_RSM: Risk Management ... 29
B.12 SC_PHS: Physical Security ... 31
B.13 SC_ACC: Access Controls ... 32
B.14 SC_ESS: Employee and Supplier Security and Integrity ... 34
B.15 SC_BPS: Business Partner Security ... 35
B.16 SC_STR: Supply Chain Security Training ... 36
B.17 SC_ISS: Information Systems Security ... 37
B.18 SC_TTC: Trusted Technology Components ... 38
B.19 SC_STH: Secure Transmission and Handling ... 39
B.20 SC_OSH: Open Source Handling ... 41
B.21 SC_CTM: Counterfeit Mitigation ... 43
B.22 SC_MAL: Malware Detection ... 44
C Recording Assessment Findings ... 45
C.1 Recording Final Observations ... 45
C.2 Determining the Assessment Outcome ... 46
C.3 Completing the Assessment Report ... 46

1. Introduction

This document defines the procedures utilized by an Assessor when conducting an O-TTPS Assessment. The primary audience for this document is the Assessor; however, an Organization that is undergoing Assessment and needs to understand the requirements for accreditation in more depth may also find this document useful.

1.1 Terminology

Refer to the Terminology section in the O-TTPS Accreditation Policy.

1.2 Referenced Documents

The following documents are referenced within this document:
• Accreditation Requirements
• Accreditation Package Document
• Accreditation Policy
• Implementation Selection Criteria Application (ISCA) Document

2. O-TTPS Assessment

Figure 1 defines the symbols and colors that are used in the workflow diagrams and applies to all figures within this document.

Figure 1: Accreditation Workflow Legend

Symbol functions (one symbol for each):
• The start or end of the process.
• A process, task, or action.
• A decision. The answer or response determines the path to be taken.
• The direction of the process flow.
• Inputs or outputs.

Resource colors:
• Blue: Organization
• Green: Accreditation Authority
• Yellow: Assessor
• Orange: Document or other input or output
• Dark Blue: Problem Report Submitter
• Purple: Specification Authority

Figure 2 captures the procedures utilized by an Assessor when conducting an O-TTPS Assessment. Its steps are described further in this section. Assessors please note that all of the steps in the flowchart are included for informational purposes and they align with those described in the O-TTPS Accreditation Policy.
The Assessor’s involvement is primarily with those activities described in steps 2.6 – 2.10. The activities expected of Assessors and the guidelines for executing those activities are further described in Appendix A and B.

Figure 2: Assessment Procedures Workflow (flowchart running from "Start O-TTPS (Standard) Assessment Procedures" through steps 2.1 to 2.13 to "End". The documents entering and leaving the steps are the Accreditation Program Guide, Accreditation Policy, Accreditation Requirements, Accreditation Fee Schedule, Signed Accreditation Agreement and Accreditation Fees, Conformance Statement Questionnaire and Conformance Statement, ISCA Document, Register of O-TTPS Recognized Assessors, Accreditation Package Document template, Evidence of Conformance, Accreditation Package Document, these Assessment Procedures, Trademark License Agreement, Accreditation Certificate, Accreditation Logo, and Accreditation Register Entry. Decision points cover whether the Accreditation Authority approves the Scope and Selected Representative Products, whether the Organization has additional evidence to provide or clarification or rework is needed, whether the Assessor recommends accreditation, whether the Organization wishes to withdraw or instead revises its Scope of Accreditation and re-enters at step 2.3, and whether the Trademark License Agreement has been signed.)

2.1 Preparation for Accreditation

Prior to registering for accreditation, with a goal of ensuring that it is ready for entry into the O-TTPS Accreditation Program, the Organization should become familiar with the Referenced and any other informative documents, such as FAQs. Once an Organization believes it is in conformance with the Accreditation Requirements for the defined Scope of Accreditation, the Organization may register for accreditation.

2.2 Registering for Accreditation

The first step in the process is for the Organization to register its intent to be accredited by completing the registration information and submitting it along with the Accreditation Agreement and accreditation fee to the Accreditation Authority. As part of the registration process, the Organization must specify the Organization's Accreditation Contacts. All notifications regarding this accreditation and any subsequent renewals will be sent by the Accreditation Authority to the Accreditation Contacts. It is the responsibility of the Organization to ensure that these Accreditation Contacts are kept up-to-date for the duration of the accreditation.

2.3 Completing the Conformance Statement Questionnaire

The Organization must produce a Conformance Statement using the Conformance Statement Questionnaire.
The Conformance Statement defines:
• The legal entity applying for accreditation
• The Scope of Accreditation for the proposed accreditation
• Optionally, any defined exclusions (e.g., products, product lines, geographies, etc.) that the Organization would like explicitly listed as outside the Scope of Accreditation

The O-TTPS Accreditation Program allows the Organization to choose its Scope of Accreditation. For example, an Organization may accredit one or more individual products, by business unit, or enterprise-wide.

2.4 Completing the ISCA Document

The Organization must complete the ISCA Document per the instructions within the document to the satisfaction of the Accreditation Authority. The objective of this activity is to identify a subset of products within the Scope of Accreditation that is representative of the Scope of Accreditation. All Selected Representative Products will be assessed for conformance to the Accreditation Requirements. The ISCA Document also contains a description of the methodology and rationale used to apply the Implementation Selection Criteria in the selection and any other information that the Organization may want to disclose to the Accreditation Authority to justify its Selected Representative Products.

2.5 Accreditation Authority Reviews and Approves the Conformance Statement and ISCA Document

The Accreditation Authority will review the Conformance Statement and the ISCA Document. Since there may be considerable variation between applications for accreditation in both the Scope of Accreditation and the Selected Representative Products, the Accreditation Authority will also review these documents for consistency across other O-TTPS accreditation applications and for appropriate selection of products.
The Accreditation Authority will keep confidential and not share with the Assessor information related to how the Organization applies the Implementation Selection Criteria and the methodology and rationale used to choose the Selected Representative Products.

The Accreditation Authority must approve both the Conformance Statement, which includes the Scope of Accreditation, and the ISCA Document, which includes the Selected Representative Products, before the Organization can move forward in the Assessment process. The Accreditation Authority will respond to the Organization within 20 days to provide approval or an explanation of any elements that need further clarification or revision in the Conformance Statement or the ISCA Document.

2.6 Organization Selects an O-TTPS Recognized Assessor

The Organization chooses an O-TTPS Recognized Assessor from the register of O-TTPS Recognized Assessors to perform its Assessment. This register will be maintained on the Accreditation Authority’s website.

To be recognized by The Open Group as an O-TTPS Recognized Assessor, a company must meet the criteria defined in the O-TTPS Recognized Assessor Agreement. The company must also enter into the O-TTPS Recognized Assessor Agreement with the Accreditation Authority. The rationale and process for removing an O-TTPS Recognized Assessor from the register of O-TTPS Recognized Assessors is defined in the O-TTPS Recognized Assessor Agreement.

The Organization informs the Accreditation Authority which O-TTPS Recognized Assessor has been engaged. Should the Organization subsequently change its choice of O-TTPS Recognized Assessor, the Organization must notify the Accreditation Authority.

2.7 Organization Prepares Accreditation Package

After the Accreditation Authority approves the Selected Representative Products, the Organization assembles the Accreditation Package, which consists of the Accreditation Package Document and the Evidence of Conformance.
The Accreditation Package Document contains a table for each requirement in which the Organization must supply pointers to evidence that demonstrates conformance to that requirement for every Selected Representative Product. The Evidence of Conformance is all material referenced in the Accreditation Package Document and necessary to demonstrate conformance to the Accreditation Requirements. The Organization submits the Accreditation Package to the Assessor.

2.8 Assessor Performs the Assessment

The Assessor assesses the Accreditation Package Document and the Evidence of Conformance it references. Applying these Assessment Procedures, the Assessor determines whether the evidence provided demonstrates the Organization's conformity to the Accreditation Requirements for each of the Selected Representative Products. The Assessor records comments regarding conformance to the Accreditation Requirements in the Accreditation Package Document according to the instructions in these Assessment Procedures.

2.9 Assessor Recommends Accreditation

Once the Assessor has completed the Assessment Report and is able to recommend accreditation, both the Organization and the Assessor review and sign the Assessment Report. The Assessor submits the updated Accreditation Package Document, including the Assessment Report, to the Accreditation Authority. This fully complete Accreditation Package Document forms the Accreditation Authority’s record of the Assessment. The Evidence of Conformance that was submitted to the Assessor remains with the Assessor and must be archived for a period of at least six (6) years.

2.10 Accreditation Authority Reviews the Accreditation Package Document

The Accreditation Authority reviews the completed Accreditation Package Document for consistency and completeness and to determine whether:
• The Accreditation Package Document is complete.
• The Assessment Report is unambiguous.
• The content and style are consistent with the Accreditation Package Documents from other O-TTPS accreditation applications.

If the Accreditation Authority believes the Assessor's findings are insufficient, then the Accreditation Authority may require the Assessor to provide clarification or additional rationale to support the findings.

2.11 Organization Signs Trademark License Agreement

If the Organization has not previously completed a Trademark License Agreement for use of the Accreditation Logo, it must be completed at this stage. The Accreditation Authority’s website contains information on how to obtain and complete the Trademark License Agreement.

2.12 Accreditation Awarded

The Accreditation Authority will notify the Organization in writing of the outcome of the accreditation process. If the result is success and there is a Trademark License Agreement in place, the Accreditation Authority will accredit the Organization. Organizations have the option to delay listing their accreditation in the Accreditation Register as described in Section 11.3.

At the time of achieving accreditation, or of agreeing to publicly list if previously delayed, the Accreditation Authority will issue an Accreditation Certificate, and enter the Organization’s details into the Accreditation Register. The Organization will also be notified that the Accreditation Logo may then be used according to the terms defined in the Trademark License Agreement.

2.13 Withdrawal from the Accreditation Process

If an Organization decides to withdraw from the accreditation process, it must provide notification to the Accreditation Authority that it is withdrawing; it is not required to provide a reason for withdrawal. In the case of withdrawal, the Assessor is not required to provide the Accreditation Package Document to the Accreditation Authority.
When informed of a withdrawal by the Organization, the Accreditation Authority will archive the information that has thus far been provided to the Accreditation Authority. Any fees paid to the Accreditation Authority will be forfeited. The Organization may re-apply for accreditation at a later date though that application will be treated as a new application and, as such, will require payment of the applicable accreditation fee for submission of a full set of documents, and a full Assessment, as per an initial accreditation.

As an alternative to withdrawal, the Organization may submit a revised Scope of Accreditation to the Accreditation Authority for approval. Effectively this means restarting the Assessment process with a revised Conformance Statement and ISCA Document, and if they are approved by the Accreditation Authority, then submitting a revised Accreditation Package. However, this differs from a re-application in that some of the results of the previous Assessment may be re-used where appropriate. Only one such revision of scope is permitted and a further revision would require a new application.

A Assessment Guidelines

The activities expected of Assessors are described in this appendix. This appendix contains general guidelines for the Assessor that should be read, understood, and followed during an Assessment. Appendix B contains additional specific guidelines for the Assessor, arranged in table format with specific guidelines for assessing each of the O-TTPS Requirements.

A.1 General Guidance for Assessor Activities

This section contains general guidance for all Assessor activities. In Appendix B there is specific guidance associated with each requirement.
General Requirements for Evidence of Conformance

The Evidence of Conformance, demonstrating the existence of a process and the implementation of a process provided by the Organization, shall meet the following requirements:

1. There are two categories of evidence required: process and implementation. For process evidence, the types of evidence/artifacts listed in this document and in the ISCA Document, Appendix B are required. This is because these types are generally cited as being required in the O-TTPS and therefore are considered to be paramount in demonstrating conformance and will help assure consistency across all accreditation applications. For implementation evidence – that is, evidence that shows the process has been applied to the Selected Representative Products – the types of evidence/artifacts listed in this document are suggested/recommended types of evidence. This is because each Organization will likely have different ways of demonstrating implementation of the processes, which may include a wide variety of types of evidence.
2. The implementation evidence shall be related to the Selected Representative Products.
3. The implementation and process evidence provided must be sufficient to demonstrate conformance to the requirement.
4. The evidence provided should cover the period of time for which the claimed process has been implemented for the Selected Representative Product.
5. There may be one or more processes identified for each attribute; this will be evident from the Attribute to Process Mapping tables in the Accreditation Package Document. Therefore, in some cases it is acceptable for a requirement to be met by evidence from more than one formal process.
6. Evidence specified in the tables within this document indicates the expectations of content. The specific names of items and the location of information and document names used within the supplied Evidence of Conformance may vary and is acceptable so long as conformance to the requirement is shown.
7. Terminology used in identifying Evidence of Conformance by Organizations may differ from that used by the O-TTPS provided that the terms are understood by the Organization and the Assessor.
8. For some requirements, there are specific guidelines included in Appendix B. This guidance is there to aid the Assessor. Since some of the specific guidelines may be non-normative as they relate to the requirement, failure to provide evidence to meet the specific guidance is not necessarily a non-conformance if appropriate alternate evidence is provided. However, the Assessor should consider whether the evidence provided is sufficient and, if not, then a non-conformance may be appropriate. As a minimum, the Assessor should note an observation that the guidance was not followed.
9. For those O-TTPS Requirements related to training programs, the purpose of receiving the training artifacts evidence is to ensure that the training occurs, not to judge the effectiveness of the training.
10. The term “routinely” is used occasionally in the O-TTPS. For Assessment purposes you should check that the period is defined. However, the Organization should provide a rationale for the stated period.
11. When photographic or video evidence is provided as Evidence of Conformance, it should be current and be indicative of how an Organization is currently applying its processes.
12. There are many security mechanisms that could be used and referenced in the Evidence of Conformance; e.g., digital signatures, encryption, hashing, and bound mechanisms. The mechanism employed by the Organization should be related to the risk analysis of the medium and environment in which the release is made.
13. The Assessor must maintain a log of their activities, which will be made available to the Accreditation Authority upon request, such that the Assessment is able to be repeated. The log should contain supplementary information about the Assessment Methodology used for each requirement, such as: who was interviewed (names and roles), on what topic, what evidence was reviewed, the evidence identifier as indicated in the evidence tables, the date and location of the interview, and whether the location was physical or virtual.

A.2 Audit Reports

Internal audit or assessment reports are acceptable types of evidence for all requirements, even if this is not explicitly stated in the evidence section of the Evidence of Conformance table. However, Assessors must be satisfied that the audit results are comprehensive (they cover all of the O-TTPS attributes) and complete, and that identified corrective actions have been cleared in a timely fashion. A small number of spot checks – for example, 10% of the requirements – are the minimum required for initial Assessment to verify the efficiency of an internal audit program.

In all cases, when an audit report is submitted as Evidence of Conformance the Assessor shall ensure that:
• The audits were performed by an auditor that is independent from the process being assessed.
• The scope of the audit includes the processes and implementation evidence associated with the Selected Representative Products.
• The audit reports address relevant O-TTPS Requirements and attributes.
• The Selected Representative Products are included in the scope of the audits.
• The audit was performed within 12 months prior to this Assessment.
• The audit report indicates that the requirements are met successfully or that any identified corrective actions have been addressed (i.e., have been cleared or are in the process of being cleared).
B Assessor Activities for O-TTPS Requirements

This appendix provides specific Assessor activities for each O-TTPS Requirement. The tables in this appendix are arranged as follows:
• There is an overall heading for each attribute, which includes the name and acronym for the attribute, the definition of the attribute, and a reference to where in the O-TTPS the attribute and associated requirements can be found.
• Under each attribute heading there are tables for every O-TTPS Requirement associated with that attribute. Each table contains the acronym for the O-TTPS Requirement, along with the exact wording of the O-TTPS Requirement. Each table also includes the following fields:
  • Assessment Type: Indicates whether the Evidence of Conformance to be provided/assessed is Process Evidence, Implementation Evidence, or both.
  • Related Requirements: Indicates which other O-TTPS Requirements should be considered in the Assessment of this requirement.
  • Specific Guidelines for Assessor Activities: Provides additional guidance for the specific requirement – if any.
  • Evidence of Conformance (Process): Indicates the types of process evidence that must be provided for each requirement.
  • Evidence of Conformance (Implementation): Indicates the types of implementation evidence that are suggested/recommended.

B.1 PD_DES: Software/Firmware/Hardware Design Process

Attribute Definition: A formal process exists that defines and documents how the requirements are translated into a product design.
O-TTPS Reference: Section 4.1.1.1.

Assessor Activity Tables

PD_DES.01 A process shall exist that assures the requirements are addressed in the design.
Assessment Type: Process and Implementation
Related Requirements: SC_TAM.02
Specific Guidelines for Assessor Activities: None.
Evidence of Conformance (Process): Product Requirements Management Process; Product Design Process
Evidence of Conformance (Implementation): Design artifacts, requirements traceability report, quality assurance, audit reports

PD_DES.02 Product requirements shall be documented.
Assessment Type: Implementation
Related Requirements: SC_OSH.02
Specific Guidelines for Assessor Activities: None.
Evidence of Conformance (Process): None.
Evidence of Conformance (Implementation): Product requirements document

B.2 PD_CFM: Configuration Management

Attribute Definition: A formal process and supporting systems exist which assure the proper management, control, and tracking of change to product development and manufacturing assets and artifacts.
O-TTPS Reference: Section 4.1.1.2.

Assessor Activity Tables

PD_CFM.01 A documented formal process shall exist which defines the configuration management process and practices.
Assessment Type: Process and Implementation
Related Requirements: None.
Specific Guidelines for Assessor Activities: The configuration management process should include change management or separate process documentation should exist that covers change management.
Evidence of Conformance (Process): Configuration Management Process
Evidence of Conformance (Implementation): CM reports, build reports, CM tooling, CM artifacts, CM applications, tools, build tools, change control applications

PD_CFM.02 Baselines of identified assets and artifacts under configuration management shall be established.
Assessment Type: Implementation
Related Requirements: CD_MPP.02
Specific Guidelines for Assessor Activities: Baselines should be current and include the artifacts that constitute each product.
Evidence of Conformance (Process): None.
Evidence of Conformance (Implementation): Product baselines in the CM system

PD_CFM.03 Changes to identified assets and artifacts under configuration management shall be tracked and controlled.
Assessment Type: Process and Implementation
Related Requirements: SC_OSH.03
Specific Guidelines for Assessor Activities: Starting with a change request to the Selected Representative Product(s), trace that the change management process has been implemented.
Evidence of Conformance (Process): Change Management Process
Evidence of Conformance (Implementation): Problem reports, change reviews, build reports, requests for changes, build/scope review

PD_CFM.05 Access to identified assets and artifacts and supporting systems shall be protected and secured.
Assessment Type: Process and Implementation
Related Requirements: SC_ACC.all
Specific Guidelines for Assessor Activities: An access control policy should exist and it should describe the access control policy for each of the artifacts and assets identified in the assessment of PD_CFM.02 and supporting systems. This includes physical access control policies and logical access control policies. The Assessor shall check that the evidence demonstrates that the access control policy has been implemented.
Evidence of Conformance (Process): Security Controls: Access Control Policies & Procedures
Evidence of Conformance (Implementation): Security audit reports, CM access control, problem tracking access control, build management access control, access controls to physical artifacts, role-based or identity-based access controls, list of supporting systems

PD_CFM.06 A formal process shall exist that establishes acceptance criteria for work products accepted into the product baseline.
  Assessment Type: Process and Implementation
  Related Requirements: PD_QAT.all
  Specific Guidelines for Assessor Activities: The acceptance criteria for each artifact and asset (configuration item) that forms part of the baseline should be defined. NOTE: Types of artifacts and assets may include, but are not limited to: source code, open source code, binary code, components, sub-assemblies, drivers, and documentation such as product manuals and configuration guides.
  Evidence of Conformance (Process): Product Development Process
  Evidence of Conformance (Implementation): Signed or acknowledged acceptance and compliance records, reports or output from the process gate reviews, business process flows

B.3 PD_MPP: Well-defined Development/Engineering Method Process and Practices

Attribute Definition
Development/engineering processes and practices are documented, managed, and followed across the life cycle.

O-TTPS Reference
Section 4.1.1.3.

Assessor Activity Tables

PD_MPP.02 The development/engineering process shall be able to track, as appropriate, components that are proven to be targets of tainting or counterfeiting as they progress through the life cycle.
  Assessment Type: Process and Implementation
  Related Requirements: PD_CFM.03, SC_MAL.01
  Specific Guidelines for Assessor Activities: The process should cover identifying and labeling components that are judged by the Organization as requiring tracking throughout the development/engineering life cycle.
  Evidence of Conformance (Process): Product Development Process
  Evidence of Conformance (Implementation): List of components that have been identified as requiring tracking as targets of tainting/counterfeiting, CM tool

B.4 PD_QAT: Quality and Test Management

Attribute Definition
Quality and test management is practiced as part of the product development/engineering life cycle.
O-TTPS Reference
Section 4.1.1.4.

Assessor Activity Tables

PD_QAT.01 There shall be a quality and test product plan that includes quality metrics and acceptance criteria.
  Assessment Type: Implementation
  Related Requirements: PD_MPP.02, SC_TTC.01
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Quality Assurance Process, Product Test Process
  Evidence of Conformance (Implementation): Quality and test product plan, documented acceptance criteria

PD_QAT.02 Testing and quality assessment activities shall be conducted according to the plan.
  Assessment Type: Implementation
  Related Requirements: SE_TAM.03, SC_TTC.01
  Specific Guidelines for Assessor Activities: The Assessor reviews the Evidence of Conformance related to QA of the work products under development.
  Evidence of Conformance (Process): None.
  Evidence of Conformance (Implementation): Test reports which address the acceptance criteria, QA audit report, QA tracking, QA and test plan

PD_QAT.03 Products or components shall meet appropriate quality criteria throughout the life cycle.
  Assessment Type: Implementation
  Related Requirements: PD_CFM.06, SC_TTC.01
  Specific Guidelines for Assessor Activities: Note that “full life cycle” should be interpreted as throughout the development/engineering life cycle.
  Evidence of Conformance (Process): None.
  Evidence of Conformance (Implementation): Test reports, QA audit report, QA tracking, QA plan

B.5 PD_PSM: Product Sustainment Management

Attribute Definition
Product support, release maintenance, and defect management are product sustainment services offered to acquirers while the product is generally available. These services can be provided free or for a fee.

O-TTPS Reference
Section 4.1.1.5.

Assessor Activity Tables

PD_PSM.01 A release maintenance process shall be implemented.
  Assessment Type: Process and Implementation
  Related Requirements: PD_QAT.03, PD_CFM.03, SC_MAL.02
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Product Release Maintenance Process
  Evidence of Conformance (Implementation): Design change requests, product update descriptions, defect reports

PD_PSM.02 Release maintenance shall include a process for notification to acquirers of product updates.
  Assessment Type: Process and Implementation
  Related Requirements: SC_BPS.01
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Product Release Maintenance Process
  Evidence of Conformance (Implementation): Acquirer notification example

PD_PSM.03 Release maintenance shall include a product update process, which uses security mechanisms.
  Assessment Type: Process and Implementation
  Related Requirements: SC_RSM.all, SC_STH.all
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Product Defect Management Process
  Evidence of Conformance (Implementation): Security audit report that covers updates, representative updates showing the Organization’s security mechanisms being used

PD_PSM.04 A defect management process shall be implemented.
  Assessment Type: Process and Implementation
  Related Requirements: None.
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Product Defect Management Process
  Evidence of Conformance (Implementation): Evidence of a defect management process, defect reports

PD_PSM.05 The defect management process shall include a documented feedback and problem reporting process.
  Assessment Type: Process and Implementation
  Related Requirements: PD_MPT.02, SC_RSM.all, PD_DES.01
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Problem Reporting Process, Product Defect Management Process
  Evidence of Conformance (Implementation): Product failure reports, problem reports, change requests, product QA reports

B.6 SE_TAM: Threat Analysis and Mitigation

Attribute Definition
Threat analysis and mitigation identify a set of potential attacks on a particular product or system and describe how those attacks might be perpetrated and the best methods of preventing or mitigating potential attacks.

O-TTPS Reference
Section 4.1.2.1.

Assessor Activity Tables

SE_TAM.01 Product architecture and design shall be assessed against potential attacks to gain an understanding of the threat landscape.
  Assessment Type: Process and Implementation
  Related Requirements: SC_RSM.all, PD_DES.all
  Specific Guidelines for Assessor Activities: The Assessor need not assess the Organization’s understanding of the relevant threat landscapes, even though a basic understanding of the threat landscape is a prerequisite to such an analysis. However, it should be noted that the threat landscape would usually be better understood as a result of this activity.
  Evidence of Conformance (Process): Product Design Process
  Evidence of Conformance (Implementation): A list of known potential attacks, threat assessment against product architecture and design, vulnerability analysis during all phases, relevant threat analysis reports

SE_TAM.02 Threat mitigation strategies for tainted and counterfeit products shall be implemented as part of product development.
  Assessment Type: Process and Implementation
  Related Requirements: PD_DES.01
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Product Development Process
  Evidence of Conformance (Implementation): Process and method artifacts

SE_TAM.03 Threat analysis shall be used as input to the creation of test plans and cases.
  Assessment Type: Process
  Related Requirements: PD_QAT.02
  Specific Guidelines for Assessor Activities: The Assessor may choose to consider how threat analysis, from SE_TAM.01, is used as input to the creation of test plans and cases during the analysis of PD_QAT.01.
  Evidence of Conformance (Process): Product Test Process
  Evidence of Conformance (Implementation): None.

B.7 SE_VAR: Vulnerability Analysis and Response

Attribute Definition
Vulnerability analysis is the process of determining whether a product contains vulnerabilities and categorizing their potential severity.

O-TTPS Reference
Section 4.1.2.3.

Assessor Activity Tables

SE_VAR.01 Techniques and practices for vulnerability analysis shall be utilized. Some techniques include: code review, static analysis, penetration testing, white/black box testing, etc.
  Assessment Type: Process and Implementation
  Related Requirements: SE_TAM.01, SE_PPR.03
  Specific Guidelines for Assessor Activities: According to the attribute, the definition of vulnerability analysis is the process of determining whether a product contains vulnerabilities and categorizing their potential severity; therefore, the potential severity of vulnerabilities should be categorized.
  Evidence of Conformance (Process): Vulnerability: Analysis Process
  Evidence of Conformance (Implementation): Attacks identified in SE_TAM.01 must be reflected in the vulnerability analysis, using, for example, the following: code scanning reports, build reports, code review documentation, penetration testing reports, test results

SE_VAR.03 A process shall exist for governing notification of newly discovered and exploitable product vulnerabilities.
  Assessment Type: Process and Implementation
  Related Requirements: SC_BPS.01
  Specific Guidelines for Assessor Activities: The governing process should include a description of who should be notified.
  Evidence of Conformance (Process): Vulnerability: Analysis Process
  Evidence of Conformance (Implementation): List of newly discovered exploitable product vulnerabilities and evidence of the appropriate distribution; some examples are: Product Security Incident Response Team (PSIRT) process documentation, PSIRT reports, email records of notifications

B.8 SE_PPR: Product Patching and Remediation

Attribute Definition
A well-documented process exists for patching and remediating products. Priority is given to known severe vulnerabilities.

O-TTPS Reference
Section 4.1.2.4.

Assessor Activity Tables

SE_PPR.01 There shall be a well-documented process for patching and remediating products.
  Assessment Type: Process and Implementation
  Related Requirements: PD_CFM.03, PD_PSM.all
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Product Patching and Remediation Process
  Evidence of Conformance (Implementation): Problem reports, patching schedules, release roadmap, release notifications, change requests, etc.

SE_PPR.03 Remediation of vulnerabilities shall be prioritized based on a variety of factors, including risk.
  Assessment Type: Process and Implementation
  Related Requirements: PD_PSM.all, SC_RSM.all, SC_VAR.01
  Specific Guidelines for Assessor Activities: As stated in the attribute definition, the vulnerability assessment review should utilize the criteria for prioritization of the remediation of vulnerabilities that are defined by the Organization.
  Evidence of Conformance (Process): Vulnerability: Remediation Process
  Evidence of Conformance (Implementation): Implementation evidence as defined in the process documentation; for example, bug and defect reports, change management documentation for resolutions of vulnerability defects, vulnerability checklists, and vulnerability assessment review

B.9 SE_SEP: Secure Engineering Practices

Attribute Definition
Secure engineering practices are established to avoid the most common engineering errors that lead to exploitable product vulnerabilities.

O-TTPS Reference
Section 4.1.2.5.

Assessor Activity Tables

SE_SEP.01 Secure coding practices shall be utilized to avoid common coding errors that lead to exploitable product vulnerabilities. For example, user input validation, use of appropriate compiler flags, etc.
  Assessment Type: Process and Implementation
  Related Requirements: SE_TAM.all, SE_VAR.all
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Product Development Process
  Evidence of Conformance (Implementation): Acceptable coding patterns, results from tooling that enforces coding patterns, results from manual code reviews, minimize footprint

SE_SEP.02 Secure hardware design practices (where applicable) shall be employed. For example, zeroing out memory and effective opacity.
  Assessment Type: Process and Implementation
  Related Requirements: SE_TAM.all, SE_VAR.all
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Product Design Process
  Evidence of Conformance (Implementation): Evidence that design practices are implemented, such as: assets from secure deliverables, results from tooling that enforces secure design practices, results from manual review of the application of secure design practices

SE_SEP.03 Training on secure engineering practices shall be provided to the appropriate personnel on a regular basis consistent with changing practices and the threat landscape.
  Assessment Type: Process and Implementation
  Related Requirements: SE_SEP.all, SE_TAM.01, SE_MTL.02
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Training Process
  Evidence of Conformance (Implementation): Evidence that training has been provided, such as training artifacts; for example, training certificates, Computer-Based Training (CBT), training attendance statistics

B.10 SE_MTL: Monitor and Assess the Impact of Changes in the Threat Landscape

Attribute Definition
The threat landscape is monitored and the potential impacts of changes in the threat landscape are assessed on development/engineering practices, tools, and techniques.

O-TTPS Reference
Section 4.1.2.6.

Assessor Activity Tables

SE_MTL.02 Changes to the development/engineering practices, tools, and techniques shall be assessed in light of changes to the threat landscape.
  Assessment Type: Process and Implementation
  Related Requirements: SE_TAM.01, PD_CFM.03
  Specific Guidelines for Assessor Activities: There may or may not have been changes, but a process should exist to govern such change.
  Evidence of Conformance (Process): Process Improvement Process
  Evidence of Conformance (Implementation): Quality engineering/management review, changed secure engineering practices, the applicant's assessment of the development/engineering practices, tools, and techniques in light of changes to the threat landscapes

SE_MTL.03 The cause of product vulnerabilities shall be evaluated and appropriate changes to the development/engineering practices, tools, and techniques identified to mitigate similar vulnerabilities in the future.
  Assessment Type: Process and Implementation
  Related Requirements: SE_VAR.01
  Specific Guidelines for Assessor Activities: There may or may not have been changes, but a process should exist to govern such change.
  Evidence of Conformance (Process): Vulnerability: Root Cause Analysis Process, Process Improvement Process
  Evidence of Conformance (Implementation): Changed secure engineering practices, the applicant's assessment of the development/engineering practices, tools, and techniques in light of changes to the vulnerability analysis

B.11 SC_RSM: Risk Management

Attribute Definition
The management of supply chain risk around tainted and counterfeit components and products includes the identification, assessment, prioritization, and mitigation of business, technical, and operational risks.

O-TTPS Reference
Section 4.2.1.1.

Assessor Activity Tables

SC_RSM.02 Supply chain risk identification, assessment, prioritization, and mitigation shall be conducted.
  Assessment Type: Process and Implementation
  Related Requirements: PD_MPP.02
  Specific Guidelines for Assessor Activities: Supply chain risk identification, assessment, prioritization, and mitigation shall be conducted.
  Evidence of Conformance (Process): Risk Management Process
  Evidence of Conformance (Implementation): Supply chain risk/business continuity planning policy documents, playbooks reflecting how to handle supply chain disruption, post-incident summary documents

SC_RSM.03 The output of risk identification, assessment, and prioritization shall be addressed by a mitigation plan, which shall be documented.
  Assessment Type: Implementation
  Related Requirements: PD_RSM.02
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): None.
  Evidence of Conformance (Implementation): Mitigation plan, output from the risk identification assessment

SC_RSM.04 The output of risk identification, assessment, and prioritization shall be addressed by a mitigation plan, which shall be followed routinely.
  Assessment Type: Implementation
  Related Requirements: SC_CTM.04
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): None.
  Evidence of Conformance (Implementation): Evidence that the risk management plan has been followed, component qualification data/reports, snapshot of applicable risk management tools, change history on the risk assessment plan, evidence that the frequency of updates/reviews matches that described in the risk management process

SC_RSM.06 Supply chain risk management training shall be incorporated in a provider’s organizational training plan, which shall be reviewed periodically and updated as appropriate.
  Assessment Type: Implementation
  Related Requirements: SC_STR.01
  Specific Guidelines for Assessor Activities: The purpose of receiving the training artifacts as evidence is to ensure that the training occurs, not to judge the effectiveness of the training.
  Evidence of Conformance (Process): None.
  Evidence of Conformance (Implementation): Training plan, including supply chain training (refer to note 3)

B.12 SC_PHS: Physical Security

Attribute Definition
Physical security procedures are necessary to protect development assets and artifacts, manufacturing processes, the plant floor, and the supply chain.

O-TTPS Reference
Section 4.2.1.2.

Assessor Activity Tables

SC_PHS.01 Risk-based procedures for physical security shall be established and documented.
  Assessment Type: Process
  Related Requirements: SC_RSM.all
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Risk Management Process: Physical Security
  Evidence of Conformance (Implementation): None.

SC_PHS.02 Risk-based procedures for physical security shall be followed routinely.
  Assessment Type: Implementation
  Related Requirements: SC_STR.01
  Specific Guidelines for Assessor Activities: The evidence supplied should be related to the procedures; e.g., if the procedure says CCTV is a control, then appropriate CCTV video would be expected to be provided as Evidence of Conformance. Refer to General Requirements for Evidence of Conformance within this document.
  Evidence of Conformance (Process): None.
  Evidence of Conformance (Implementation): Photographs of the relevant physical security controls (for example, cages, doors, loading bays, fences, rooftop, ceiling, cabling, etc.), snapshots of audit reports, CCTV video, video of implementation of personnel ingress/egress searches, security logs

B.13 SC_ACC: Access Controls

Attribute Definition
Proper access controls are established for the protection of product-relevant intellectual property against the introduction of tainted and counterfeit components where applicable in the supply chain.

O-TTPS Reference
Section 4.2.1.3.
Assessor Activity Tables

SC_ACC.01 Access controls shall be established and managed for product-relevant intellectual property and assets and artifacts. Assets and artifacts include controlled elements related to the development/manufacturing of a provider’s product.
  Assessment Type: Process and Implementation
  Related Requirements: PD_MPP.02, SC_RSM.all, SC_ISS.01
  Specific Guidelines for Assessor Activities: The Assessor is not required to determine the effectiveness or appropriateness of the access policy. Note that the following requirements are to be viewed as a whole; the intent is to show that access policies are in place and are being followed.
  Evidence of Conformance (Process): Security Controls: Access Control Policies & Procedures
  Evidence of Conformance (Implementation): System password and access policies, actual audit reflecting an individual’s use of access controls, actual audit reflecting badge-based physical access, transport tracking, inventory account reports

SC_ACC.02 Access controls established and managed for product-relevant intellectual property and assets and artifacts shall be documented.
  Assessment Type: Implementation
  Related Requirements: None.
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): None.
  Evidence of Conformance (Implementation): Supplier premises logs, access control lists, access logs, NDA agreements

SC_ACC.03 Access controls established and managed for product-relevant intellectual property and assets and artifacts shall be followed routinely.
  Assessment Type: Implementation
  Related Requirements: SC_ISS.01
  Specific Guidelines for Assessor Activities: Refer to General Requirements for Evidence of Conformance within this document regarding “routinely”.
  Evidence of Conformance (Process): None.
  Evidence of Conformance (Implementation): Photographs, CCTV video, video of implementation of personnel ingress/egress searches, access logs, badges, time clock reports, split key reports

SC_ACC.05 Access controls established and managed for product-relevant intellectual property and assets and artifacts shall employ the use of access control auditing.
  Assessment Type: Implementation
  Related Requirements: None.
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Security Controls: Access Control Audit Process
  Evidence of Conformance (Implementation): Audit reports, communications to management of audit results, or internal SC security metric reports

B.14 SC_ESS: Employee and Supplier Security and Integrity

Attribute Definition
Background checks are conducted for employees and contractors whose activities are directly related to sensitive product supply chain activities. A Trusted Technology Provider has a set of applicable business conduct guidelines for their employee and supplier communities. A Trusted Technology Provider obtains periodic confirmation that suppliers are conducting business in a manner consistent with principles embodied in industry conduct codes, such as the Electronic Industry Citizenship Coalition (EICC) Code of Conduct.

O-TTPS Reference
Section 4.2.1.4.

Assessor Activity Tables

SC_ESS.01 Proof of identity shall be ascertained for all new employees and contractors engaged in the supply chain, except where prohibited by law.
  Assessment Type: Process and Implementation
  Related Requirements: None.
  Specific Guidelines for Assessor Activities: Typically, this may be part of the hiring process, but it needs to be explicitly part of that process. Assessors are checking identity, not legality. Implementation evidence may vary by country.
  Evidence of Conformance (Process): HR Identity Check Process
  Evidence of Conformance (Implementation): Evidence that the identity is verified by the Organization

B.15 SC_BPS: Business Partner Security

Attribute Definition
Business partners follow the recommended supply chain security best practice requirements specified by the O-TTPS. Periodic confirmation is requested that business partners are following the supply chain security best practice requirements specified by the O-TTPS.

O-TTPS Reference
Section 4.2.1.5.

Assessor Activity Tables

SC_BPS.01 Supply chain security best practices (e.g., O-TTPS) shall be recommended to relevant business partners.
  Assessment Type: Implementation
  Related Requirements: SC_CTM.01, SE_VAR.03, PD_PSM.02
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): None.
  Evidence of Conformance (Implementation): Communication reflecting recommended practices, security requirements for suppliers, supplier assessment records reflecting security aspects, list of relevant business partners and best practices

B.16 SC_STR: Supply Chain Security Training

Attribute Definition
Personnel responsible for the security of supply chain aspects are properly trained.

O-TTPS Reference
Section 4.2.1.6.

Assessor Activity Tables

SC_STR.01 Training in supply chain security procedures shall be given to all appropriate personnel.
  Assessment Type: Implementation
  Related Requirements: SC_ACC.03, SC_PHS.02, SC_RSM.06
  Specific Guidelines for Assessor Activities: The Assessor does not need to determine what “appropriate” means; this is defined by the Organization.
  Evidence of Conformance (Process): None.
  Evidence of Conformance (Implementation): Training materials, minutes or materials from informational, training artifacts, training attendance statistics, training certificates, computer-based training, a list of appropriate personnel

B.17 SC_ISS: Information Systems Security

Attribute Definition
Supply chain information systems properly protect data through an appropriate set of security controls.

O-TTPS Reference
Section 4.2.1.7.

Assessor Activity Tables

SC_ISS.01 Supply chain data shall be protected through an appropriate set of security controls.
  Assessment Type: Implementation
  Related Requirements: SC_ACC.all
  Specific Guidelines for Assessor Activities: Supply chain data may include electronic transactions, orders, routing and transit information, and specifications.
  Evidence of Conformance (Process): None.
  Evidence of Conformance (Implementation): List of the types of supply chain data that are protected, list of associated security controls

B.18 SC_TTC: Trusted Technology Components

Attribute Definition
Supplied components are evaluated to assure that they meet component specification requirements. Suppliers follow supply chain security best practices with regard to supplied components (e.g., O-TTPS).

O-TTPS Reference
Section 4.2.1.8.

Assessor Activity Tables

SC_TTC.01 The quality of supplied components shall be assessed against the component specification requirements.
  Assessment Type: Process and Implementation
  Related Requirements: SC_RSM.02, PD_QAT.all
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Quality Assurance Process
  Evidence of Conformance (Implementation): Component specifications, component quality conformance reports, identification of high-risk components

SC_TTC.02 Counterfeit components shall not knowingly be incorporated into products.
  Assessment Type: Process
  Related Requirements: PD_MPP.02, SC_RSM.all, SC_CTM.all
  Specific Guidelines for Assessor Activities: Note that it is not possible to assess whether the policy has been implemented.
  Evidence of Conformance (Process): Policy on Use of Counterfeit Components
  Evidence of Conformance (Implementation): None.

B.19 SC_STH: Secure Transmission and Handling

Attribute Definition
Secure transmission and handling of assets and artifacts during delivery is needed to lower the risk of product tampering while in transit to their destination.

O-TTPS Reference
Section 4.2.1.9.

Assessor Activity Tables

SC_STH.01 Secure transmission and handling controls shall be established and documented.
  Assessment Type: Process and Implementation
  Related Requirements: SC_ISS.01
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Risk Management Process, Security Controls: Secure Transmission and Handling
  Evidence of Conformance (Implementation): Photos reflecting CCTV use in manufacturing operations and product transfer locations, review of a portion of CCTV video to validate operation of CCTV

SC_STH.02 Secure transmission and handling controls shall be designed to lower the risk of physical tampering with assets and artifacts that are physically transported.
  Assessment Type: Process and Implementation
  Related Requirements: None.
  Specific Guidelines for Assessor Activities: Note that the Assessor is not required to determine the effectiveness of the controls themselves.
  Evidence of Conformance (Process): Risk Management Process, Security Controls: Secure Transmission and Handling
  Evidence of Conformance (Implementation): Packaging, security tape, shipping logs, badges and guards, bonded transport, photographic evidence, interviews with security staff

SC_STH.03 Secure transmission and handling controls shall be designed to lower the risk of tampering with assets and artifacts that are electronically transmitted.
  Assessment Type: Process and Implementation
  Related Requirements: None.
  Specific Guidelines for Assessor Activities: The Assessor is not required to determine the effectiveness of the controls themselves.
  Evidence of Conformance (Process): Risk Management Process, Electronic Delivery Process, Security Controls: Secure Transmission and Handling
  Evidence of Conformance (Implementation): Demonstrated use of encryption, SFTP servers, access controls

SC_STH.04 Secure transmission and handling controls shall be followed routinely.
  Assessment Type: Implementation
  Related Requirements: SC_STR.01
  Specific Guidelines for Assessor Activities: Refer to item 3 of Section A.1 of this document.
  Evidence of Conformance (Process): None.
  Evidence of Conformance (Implementation): Demonstrated use of encryption, SFTP servers, access controls

B.20 SC_OSH: Open Source Handling

Attribute Definition
Open Source components are managed as defined by the best practices within the O-TTPS for Product Development/Engineering methods and Secure Development/Engineering methods.

O-TTPS Reference
Section 4.2.1.10.

Assessor Activity Tables

SC_OSH.02 In the management of Open Source assets and artifacts, components sourced shall be identified as derived from well-understood component lineage.
  Assessment Type: Process and Implementation
  Related Requirements: PD_CFM.02, PD_CFM.03, PD_DES.02
  Specific Guidelines for Assessor Activities: Verify that a sample Open Source component's lineage is tracked and identified in the software development life cycle tools.
  Evidence of Conformance (Process): Product Development Process
  Evidence of Conformance (Implementation): Records of component lineage derivation for the sourced Open Source components

SC_OSH.03 In the management of Open Source assets and artifacts, components sourced shall be subject to well-defined acceptance procedures that include asset and artifact security and integrity before their use within a product.
  Assessment Type: Process and Implementation
  Related Requirements: PD_CFM.06, PD_QAT.01, SC_MAL.all
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Product Test Process
  Evidence of Conformance (Implementation): Security and integrity checking might include activities such as checking hash values of included open source code, vulnerability analysis, and performing malware checks

SC_OSH.04 For such sourced components, responsibilities for ongoing support and patching shall be clearly understood.
  Assessment Type: Process and Implementation
  Related Requirements: PD_CFM.03, PD_PSM.all
  Specific Guidelines for Assessor Activities: None.
  Evidence of Conformance (Process): Product Support Policy
  Evidence of Conformance (Implementation): The Applicant’s point of contact for customers to request support and patching

B.21 SC_CTM: Counterfeit Mitigation

Attribute Definition
Practices are deployed to manufacture, deliver, and service products that do not contain counterfeit components. Practices are deployed to preclude the unauthorized use of scrap from the hardware manufacturing process.

O-TTPS Reference
Section 4.2.1.11.
Assessor Activity Tables

SC_CTM.01 Instances of counterfeit activity relating to products shall be reviewed and an appropriate response sent.
Assessment Type: Process and Implementation
Related Requirements: PD_MPP.02, SC_BPS.01, SE_VAR.03
Specific Guidelines for Assessor Activities: None.
Evidence of Conformance (Process): Counterfeit Review and Response Policy
Evidence of Conformance (Implementation): Records showing the monitoring of grey market activities, copies of portions of investigation reports and action plans upon counterfeit findings, records of the appropriate response sent

SC_CTM.04 Techniques shall be utilized as applicable and appropriate to mitigate the risk of counterfeiting, such as security labeling and scrap management techniques.
Assessment Type: Process and Implementation
Related Requirements: SC_RSM.04, SC_PHS.all, SC_ACC.05
Specific Guidelines for Assessor Activities: None.
Evidence of Conformance (Process): Security Controls: Risk Management Process, Anti-counterfeit Controls
Evidence of Conformance (Implementation): List of high-risk items that are subject to these controls, scrap handling procedures, demonstration of the use of labeling and photographs of labeling, demonstration of results arising from the use of anti-counterfeit technology (holograms, inks, RFID, etc.), demonstration/observation/photographs of their use

B.22 SC_MAL: Malware Detection

Attribute Definition: Practices are employed that preclude as far as practical the inclusion of malware in components received from suppliers and in components or products delivered to customers or integrators.
O-TTPS Reference: Section 4.2.1.12.

Assessor Activity Tables

SC_MAL.01 One or more up-to-date commercial malware detection tools shall be deployed as part of the code acceptance and development processes.
Assessment Type: Implementation
Related Requirements: PD_CFM.04, PD_QAT.01
Specific Guidelines for Assessor Activities: The processes for this are described in the related requirements. The Assessor should ensure that the acceptance criteria include malware detection. Some systems may be proprietary or otherwise lack commercial malware detection tools; where that is the case, it is a non-conformity, and the rationale for it must be included in the assessment report.
Evidence of Conformance (Process): None.
Evidence of Conformance (Implementation): Acceptance procedures requiring the use of malware detection tools; demonstration and/or copies of records showing application of malware detection tools to code in the development stage; up-to-date signatures being used in the detection tool

SC_MAL.02 Malware detection techniques shall be used before final packaging and delivery (e.g., scanning finished products and components for malware using one or more up-to-date malware detection tools).
Assessment Type: Process and Implementation
Related Requirements: PD_CFM.04, PD_QAT.01, PD_QAT.03, PD_PSM.01
Specific Guidelines for Assessor Activities: The processes for this may be described in the related requirements. The Assessor should ensure that the criteria for release include malware detection.
Evidence of Conformance (Process): Quality Assurance Process
Evidence of Conformance (Implementation): Release procedures requiring the use of malware detection tools; demonstration and/or copies of records showing application of malware detection tools before final packaging and delivery

C Recording Assessment Findings

To help assure consistency across O-TTPS accreditation applications, the guidelines in this section should be followed.
C.1 Recording Final Observations

Below is an example of one requirement table from the Accreditation Package Document. The Organization initially completes it with information on where the Assessor can find the applicable Evidence of Conformance for each item/row. The last column, "Assessor Comment", is where the Assessor records their Assessment findings for each item in the table. The Assessor may use this table to record and revise their findings throughout the Assessment process, but must record their final findings in the Assessor Comment column of the final Accreditation Package Document before submitting it to the Accreditation Authority.

During the Assessment, if the finding is that the evidence provided indicates conformance, the Assessor indicates this by completing the mandatory Assessor Comment column. The minimum content of the Assessor Comment column for each requirement is:
• Date conformance was established
• Assessor(s) responsible for the specific finding
• Evidence assessed (which of the recommended types of evidence was examined or, if alternative evidence was considered, why it was determined to be equivalent)
• Assessment method employed (e.g., documentation audit, direct inspection, face-to-face interview, web conference, interview conference call, photograph inspection, video recording, online system audit)
• Rationale for PASS

PD_DES.01 A process shall exist that assures the requirements are addressed in the design.
Required Types of Process Evidence: Product Design Process, Product Requirements Management Process
Recommended/Suggested Types of Implementation Evidence: Design artifacts, requirements traceability report, quality assurance, audit reports

Process ID | Product No | Evidence File Name | Description of Evidence | Pointer within Evidence | Assessor Comment
Process Evidence
  Product Design Process
  Product Requirements Process
  [Add more rows if needed]
Implementation Evidence for each Selected Representative Product
  P1 [Add more rows if needed]
  P… [Add more rows if needed]

C.2 Determining the Assessment Outcome

For each and every requirement, the Assessor must determine whether a PASS finding can be asserted and, if so, complete the Assessor Comment column to record the basis of that finding.

C.3 Completing the Assessment Report

The final step is to complete the Assessment Report, which is part of the Accreditation Package Document and is included here for illustration. The Assessor completes all of the fields with the information described below and submits it to the Accreditation Authority.

Table 1: Assessment Report Template
Organization: [As defined in the Conformance Statement.]
Authorized Signatory of the Organization: [Printed name and signature of the Authorized Signatory. The signature means that the Organization has reviewed the report and concurs with the findings.]
Report Submission Date: [The date the report is submitted to the Accreditation Authority.]
Acceptance Date: [The date the report is approved by the Accreditation Authority.]
Assessment Organization Name and ID: [Must be an O-TTPS Recognized Assessor (Company).]
Assessment Team Leader Name and ID: [Printed name and signature of the Assessment Team Leader. This is the individual who will "sign off" on the Assessment Report. Must have met the O-TTPS Assessor criteria, passed the O-TTPS Assessor Examination, and be employed or contracted by an O-TTPS Recognized Assessor (Company).]
Assessors who participated in the Assessment: [Names of all of the Assessors who participated in the Assessment. Must have met the O-TTPS Assessor criteria, passed the O-TTPS Assessor Examination, and be employed or contracted by an O-TTPS Recognized Assessor (Company).]
O-TTPS Accreditation Requirements Version: [O-TTPS Accreditation Requirements version number.]
Assessment Team Recommendation:
Designated Accreditation Authority Individual: [Approving report]
Approved Assessment Outcome: